Description
If you are logged out and at a URL containing an encoded # (i.e., %23), and then you click 'sign in' and complete the sign-in, you end up at the original URL but with an actual # in it instead of a %23.
In the first navigation (upon clicking 'sign in') you are brought to a page with a ?redirect_to= value containing %2523, which seems correct. The set-cookie header that's returned also contains %2523, which I think is correct. It's not going through the layer of query param encoding, but it is going through the layer of cookie header encoding.
In the second navigation (upon entering your username/password and clicking 'sign in'), the redirect from the server has a location header that includes a # though, which is definitely incorrect.
This is on Gitea version 1e2da5d
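
The encoding layers described above, as an added Go example that is not part of the original report and not Gitea's code. It assumes the stored redirect value carries one layer of percent-escaping (modelled with `url.QueryEscape`) and shows that undoing two layers instead of one produces the literal `#`, which then truncates the path the client requests; the sample path and function names are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/url"
)

// Constructed sample: a path whose file name contains an encoded '#'.
const originalPath = "/owner/repo/src/branch/main/a%23b.txt"

// cookieValue applies one layer of escaping, as assumed for the stored
// redirect target ('%' becomes "%25", so "%23" becomes "%2523").
func cookieValue(target string) string { return url.QueryEscape(target) }

// locationFrom undoes `layers` levels of escaping on the stored value.
// One layer is correct; two reproduces the symptom in the report.
func locationFrom(stored string, layers int) (string, error) {
	out := stored
	for i := 0; i < layers; i++ {
		dec, err := url.QueryUnescape(out)
		if err != nil {
			return "", err
		}
		out = dec
	}
	return out, nil
}

// pathSeenByServer returns the path a client would request for a Location
// value; anything after a literal '#' is a fragment and is never sent.
func pathSeenByServer(location string) (string, error) {
	u, err := url.Parse(location)
	if err != nil {
		return "", err
	}
	return u.EscapedPath(), nil
}

func main() {
	stored := cookieValue(originalPath)
	fmt.Println("stored:", stored)
	for _, n := range []int{1, 2} {
		loc, _ := locationFrom(stored, n)
		p, _ := pathSeenByServer(loc)
		fmt.Printf("layers=%d location=%s requested=%s\n", n, loc, p)
	}
}
```

A regression test for the fix can assert that the post-login `Location` value equals the pre-login path byte for byte, including `%23`.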